CVE Vulnerability

CVE-2022-29243

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available.

4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

Scope

4.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://github.com/nextcloud/server/pull/31658 Patch Third Party Advisory
https://hackerone.com/reports/1153138 Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7cwm-qph5-4h5w Third Party Advisory
https://security.gentoo.org/glsa/202208-17 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
Information

Published : 2022-05-31 05:15

Updated : 2022-09-27 02:13

NVD link : CVE-2022-29243

Mitre link : CVE-2022-29243

Products Affected
No products.
CWE
CWE-20

CWE-400